I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I
am trying to configure Freeradius 2.1.7 to authenticate to Kerberos.
I am having problems getting Freeradius to authenticate while started
in daemon mode. When the process is started in debug mode it seems to
function, but authentications while in daemon mode return the error:
Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in
replay cache code
Since authentication works in debug mode I'm not sure what I can give
to support the error besides the krb5kdc/slapd/radius log outputs and
the client side output. Functional output of debug mode is included as
well. I appreciate any help you can provide. If I should post any
config files please let me know what you would like to see. Thank you
very much.
*client side output*
radtest test1@CSP-BACK qwer krb 1812 SharedSecret
Sending Access-Request of id 213 to [SERVER IP ADDRESS ] port 1812
User-Name = test1@CSP-BACK
User-Password = qwer
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
rad_recv: Access-Reject packet from host [SERVER IP ADDRESS ] port
1812, id=213, length=20
***
*radius log*
Tue Jun 14 16:17:23 2011 : Auth: rlm_krb5: [test1@CSP-BACK]
krb5_rd_req() failed: Permission denied in replay cache code
***
*krb5kdc log*
Jun 14 16:17:22 krb.csp krb5kdc[10954](info): AS_REQ (12 etypes {18 17
16 23 1 3 2 11 10 15 12 13}) [SERVER IP ADDRESS ]: ISSUE: authtime
1308082642, etypes {rep=18 tkt=18 ses=18}, test1@CSP-BACK for
krbtgt/CSP-BACK@CSP-BACK
Jun 14 16:17:23 krb.csp krb5kdc[10954](info): TGS_REQ (7 etypes {18 17
16 23 1 3 2}) [SERVER IP ADDRESS ]: ISSUE: authtime 1308082642,
etypes {rep=18 tkt=18 ses=18}, test1@CSP-BACK for
radius/krb.csp@CSP-BACK
*slapd log*
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=54 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=test1@CSP-BACK))
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=54 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=54 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=55 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/CSP-BACK@CSP-BACK))
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=55 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:22 krb slapd[10742]: conn=9 op=55 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=56 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/CSP-BACK@CSP-BACK))
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=56 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=56 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=57 SRCH
base=cn=KRB,dc=CSPKRB scope=2 deref=0
filter=((|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=radius/krb.csp@CSP-BACK))
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=57 SRCH
attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage
krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled
modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
Jun 14 16:17:23 krb slapd[10742]: conn=9 op=57 SEARCH RESULT tag=101
err=0 nentries=1 text=